2 * hostapd - PMKSA cache for IEEE 802.11i RSN
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
22 #include "eapol_auth/eapol_auth_sm.h"
23 #include "eapol_auth/eapol_auth_sm_i.h"
24 #include "pmksa_cache.h"
27 static const int pmksa_cache_max_entries
= 1024;
28 static const int dot11RSNAConfigPMKLifetime
= 43200;
30 struct rsn_pmksa_cache
{
31 #define PMKID_HASH_SIZE 128
32 #define PMKID_HASH(pmkid) (unsigned int) ((pmkid)[0] & 0x7f)
33 struct rsn_pmksa_cache_entry
*pmkid
[PMKID_HASH_SIZE
];
34 struct rsn_pmksa_cache_entry
*pmksa
;
37 void (*free_cb
)(struct rsn_pmksa_cache_entry
*entry
, void *ctx
);
42 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache
*pmksa
);
45 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry
*entry
)
49 os_free(entry
->identity
);
50 #ifndef CONFIG_NO_RADIUS
51 radius_free_class(&entry
->radius_class
);
52 #endif /* CONFIG_NO_RADIUS */
57 static void pmksa_cache_free_entry(struct rsn_pmksa_cache
*pmksa
,
58 struct rsn_pmksa_cache_entry
*entry
)
60 struct rsn_pmksa_cache_entry
*pos
, *prev
;
63 pmksa
->free_cb(entry
, pmksa
->ctx
);
64 pos
= pmksa
->pmkid
[PMKID_HASH(entry
->pmkid
)];
69 prev
->hnext
= pos
->hnext
;
71 pmksa
->pmkid
[PMKID_HASH(entry
->pmkid
)] =
85 prev
->next
= pos
->next
;
87 pmksa
->pmksa
= pos
->next
;
93 _pmksa_cache_free_entry(entry
);
97 static void pmksa_cache_expire(void *eloop_ctx
, void *timeout_ctx
)
99 struct rsn_pmksa_cache
*pmksa
= eloop_ctx
;
103 while (pmksa
->pmksa
&& pmksa
->pmksa
->expiration
<= now
.sec
) {
104 struct rsn_pmksa_cache_entry
*entry
= pmksa
->pmksa
;
105 pmksa
->pmksa
= entry
->next
;
106 wpa_printf(MSG_DEBUG
, "RSN: expired PMKSA cache entry for "
107 MACSTR
, MAC2STR(entry
->spa
));
108 pmksa_cache_free_entry(pmksa
, entry
);
111 pmksa_cache_set_expiration(pmksa
);
115 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache
*pmksa
)
120 eloop_cancel_timeout(pmksa_cache_expire
, pmksa
, NULL
);
121 if (pmksa
->pmksa
== NULL
)
124 sec
= pmksa
->pmksa
->expiration
- now
.sec
;
127 eloop_register_timeout(sec
+ 1, 0, pmksa_cache_expire
, pmksa
, NULL
);
131 static void pmksa_cache_from_eapol_data(struct rsn_pmksa_cache_entry
*entry
,
132 struct eapol_state_machine
*eapol
)
137 if (eapol
->identity
) {
138 entry
->identity
= os_malloc(eapol
->identity_len
);
139 if (entry
->identity
) {
140 entry
->identity_len
= eapol
->identity_len
;
141 os_memcpy(entry
->identity
, eapol
->identity
,
142 eapol
->identity_len
);
146 #ifndef CONFIG_NO_RADIUS
147 radius_copy_class(&entry
->radius_class
, &eapol
->radius_class
);
148 #endif /* CONFIG_NO_RADIUS */
150 entry
->eap_type_authsrv
= eapol
->eap_type_authsrv
;
151 entry
->vlan_id
= ((struct sta_info
*) eapol
->sta
)->vlan_id
;
155 void pmksa_cache_to_eapol_data(struct rsn_pmksa_cache_entry
*entry
,
156 struct eapol_state_machine
*eapol
)
158 if (entry
== NULL
|| eapol
== NULL
)
161 if (entry
->identity
) {
162 os_free(eapol
->identity
);
163 eapol
->identity
= os_malloc(entry
->identity_len
);
164 if (eapol
->identity
) {
165 eapol
->identity_len
= entry
->identity_len
;
166 os_memcpy(eapol
->identity
, entry
->identity
,
167 entry
->identity_len
);
169 wpa_hexdump_ascii(MSG_DEBUG
, "STA identity from PMKSA",
170 eapol
->identity
, eapol
->identity_len
);
173 #ifndef CONFIG_NO_RADIUS
174 radius_free_class(&eapol
->radius_class
);
175 radius_copy_class(&eapol
->radius_class
, &entry
->radius_class
);
176 #endif /* CONFIG_NO_RADIUS */
177 if (eapol
->radius_class
.attr
) {
178 wpa_printf(MSG_DEBUG
, "Copied %lu Class attribute(s) from "
179 "PMKSA", (unsigned long) eapol
->radius_class
.count
);
182 eapol
->eap_type_authsrv
= entry
->eap_type_authsrv
;
183 ((struct sta_info
*) eapol
->sta
)->vlan_id
= entry
->vlan_id
;
187 static void pmksa_cache_link_entry(struct rsn_pmksa_cache
*pmksa
,
188 struct rsn_pmksa_cache_entry
*entry
)
190 struct rsn_pmksa_cache_entry
*pos
, *prev
;
192 /* Add the new entry; order by expiration time */
196 if (pos
->expiration
> entry
->expiration
)
202 entry
->next
= pmksa
->pmksa
;
203 pmksa
->pmksa
= entry
;
205 entry
->next
= prev
->next
;
208 entry
->hnext
= pmksa
->pmkid
[PMKID_HASH(entry
->pmkid
)];
209 pmksa
->pmkid
[PMKID_HASH(entry
->pmkid
)] = entry
;
211 pmksa
->pmksa_count
++;
212 wpa_printf(MSG_DEBUG
, "RSN: added PMKSA cache entry for " MACSTR
,
213 MAC2STR(entry
->spa
));
214 wpa_hexdump(MSG_DEBUG
, "RSN: added PMKID", entry
->pmkid
, PMKID_LEN
);
219 * pmksa_cache_auth_add - Add a PMKSA cache entry
220 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
221 * @pmk: The new pairwise master key
222 * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
223 * @aa: Authenticator address
224 * @spa: Supplicant address
225 * @session_timeout: Session timeout
226 * @eapol: Pointer to EAPOL state machine data
227 * @akmp: WPA_KEY_MGMT_* used in key derivation
228 * Returns: Pointer to the added PMKSA cache entry or %NULL on error
230 * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
231 * cache. If an old entry is already in the cache for the same Supplicant,
232 * this entry will be replaced with the new entry. PMKID will be calculated
235 struct rsn_pmksa_cache_entry
*
236 pmksa_cache_auth_add(struct rsn_pmksa_cache
*pmksa
,
237 const u8
*pmk
, size_t pmk_len
,
238 const u8
*aa
, const u8
*spa
, int session_timeout
,
239 struct eapol_state_machine
*eapol
, int akmp
)
241 struct rsn_pmksa_cache_entry
*entry
, *pos
;
244 if (pmk_len
> PMK_LEN
)
247 entry
= os_zalloc(sizeof(*entry
));
250 os_memcpy(entry
->pmk
, pmk
, pmk_len
);
251 entry
->pmk_len
= pmk_len
;
252 rsn_pmkid(pmk
, pmk_len
, aa
, spa
, entry
->pmkid
,
253 wpa_key_mgmt_sha256(akmp
));
255 entry
->expiration
= now
.sec
;
256 if (session_timeout
> 0)
257 entry
->expiration
+= session_timeout
;
259 entry
->expiration
+= dot11RSNAConfigPMKLifetime
;
261 os_memcpy(entry
->spa
, spa
, ETH_ALEN
);
262 pmksa_cache_from_eapol_data(entry
, eapol
);
264 /* Replace an old entry for the same STA (if found) with the new entry
266 pos
= pmksa_cache_auth_get(pmksa
, spa
, NULL
);
268 pmksa_cache_free_entry(pmksa
, pos
);
270 if (pmksa
->pmksa_count
>= pmksa_cache_max_entries
&& pmksa
->pmksa
) {
271 /* Remove the oldest entry to make room for the new entry */
272 wpa_printf(MSG_DEBUG
, "RSN: removed the oldest PMKSA cache "
273 "entry (for " MACSTR
") to make room for new one",
274 MAC2STR(pmksa
->pmksa
->spa
));
275 pmksa_cache_free_entry(pmksa
, pmksa
->pmksa
);
278 pmksa_cache_link_entry(pmksa
, entry
);
284 struct rsn_pmksa_cache_entry
*
285 pmksa_cache_add_okc(struct rsn_pmksa_cache
*pmksa
,
286 const struct rsn_pmksa_cache_entry
*old_entry
,
287 const u8
*aa
, const u8
*pmkid
)
289 struct rsn_pmksa_cache_entry
*entry
;
291 entry
= os_zalloc(sizeof(*entry
));
294 os_memcpy(entry
->pmkid
, pmkid
, PMKID_LEN
);
295 os_memcpy(entry
->pmk
, old_entry
->pmk
, old_entry
->pmk_len
);
296 entry
->pmk_len
= old_entry
->pmk_len
;
297 entry
->expiration
= old_entry
->expiration
;
298 entry
->akmp
= old_entry
->akmp
;
299 os_memcpy(entry
->spa
, old_entry
->spa
, ETH_ALEN
);
300 entry
->opportunistic
= 1;
301 if (old_entry
->identity
) {
302 entry
->identity
= os_malloc(old_entry
->identity_len
);
303 if (entry
->identity
) {
304 entry
->identity_len
= old_entry
->identity_len
;
305 os_memcpy(entry
->identity
, old_entry
->identity
,
306 old_entry
->identity_len
);
309 #ifndef CONFIG_NO_RADIUS
310 radius_copy_class(&entry
->radius_class
, &old_entry
->radius_class
);
311 #endif /* CONFIG_NO_RADIUS */
312 entry
->eap_type_authsrv
= old_entry
->eap_type_authsrv
;
313 entry
->vlan_id
= old_entry
->vlan_id
;
314 entry
->opportunistic
= 1;
316 pmksa_cache_link_entry(pmksa
, entry
);
323 * pmksa_cache_auth_deinit - Free all entries in PMKSA cache
324 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
326 void pmksa_cache_auth_deinit(struct rsn_pmksa_cache
*pmksa
)
328 struct rsn_pmksa_cache_entry
*entry
, *prev
;
334 entry
= pmksa
->pmksa
;
338 _pmksa_cache_free_entry(prev
);
340 eloop_cancel_timeout(pmksa_cache_expire
, pmksa
, NULL
);
341 for (i
= 0; i
< PMKID_HASH_SIZE
; i
++)
342 pmksa
->pmkid
[i
] = NULL
;
348 * pmksa_cache_auth_get - Fetch a PMKSA cache entry
349 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
350 * @spa: Supplicant address or %NULL to match any
351 * @pmkid: PMKID or %NULL to match any
352 * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
354 struct rsn_pmksa_cache_entry
*
355 pmksa_cache_auth_get(struct rsn_pmksa_cache
*pmksa
,
356 const u8
*spa
, const u8
*pmkid
)
358 struct rsn_pmksa_cache_entry
*entry
;
361 entry
= pmksa
->pmkid
[PMKID_HASH(pmkid
)];
363 entry
= pmksa
->pmksa
;
366 os_memcmp(entry
->spa
, spa
, ETH_ALEN
) == 0) &&
368 os_memcmp(entry
->pmkid
, pmkid
, PMKID_LEN
) == 0))
370 entry
= pmkid
? entry
->hnext
: entry
->next
;
377 * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
378 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
379 * @aa: Authenticator address
380 * @spa: Supplicant address
382 * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
384 * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
386 struct rsn_pmksa_cache_entry
* pmksa_cache_get_okc(
387 struct rsn_pmksa_cache
*pmksa
, const u8
*aa
, const u8
*spa
,
390 struct rsn_pmksa_cache_entry
*entry
;
391 u8 new_pmkid
[PMKID_LEN
];
393 entry
= pmksa
->pmksa
;
395 if (os_memcmp(entry
->spa
, spa
, ETH_ALEN
) != 0)
397 rsn_pmkid(entry
->pmk
, entry
->pmk_len
, aa
, spa
, new_pmkid
,
398 wpa_key_mgmt_sha256(entry
->akmp
));
399 if (os_memcmp(new_pmkid
, pmkid
, PMKID_LEN
) == 0)
408 * pmksa_cache_auth_init - Initialize PMKSA cache
409 * @free_cb: Callback function to be called when a PMKSA cache entry is freed
410 * @ctx: Context pointer for free_cb function
411 * Returns: Pointer to PMKSA cache data or %NULL on failure
413 struct rsn_pmksa_cache
*
414 pmksa_cache_auth_init(void (*free_cb
)(struct rsn_pmksa_cache_entry
*entry
,
415 void *ctx
), void *ctx
)
417 struct rsn_pmksa_cache
*pmksa
;
419 pmksa
= os_zalloc(sizeof(*pmksa
));
421 pmksa
->free_cb
= free_cb
;